Compare commits

..

27 Commits

Author SHA1 Message Date
Anders Fugmann
a0e698f749 unify Kotlin test suites: rename test-kotlin2 to test-kotlin
Rename java/ql/test-kotlin2 to java/ql/test-kotlin (codeql/java-kotlin-tests)
and delete java/ql/test-kotlin1. The unified suite is the K2 test suite
(test-kotlin2) with expected files already updated by the preceding extractor
commits to converge K1 and K2 output.

The suite runs in both language modes via the test runner:
  * K1 mode  — CODEQL_KOTLIN_LEGACY_TEST_EXTRACTION_KOTLIN2 unset  → -language-version 1.9
  * K2 mode  — CODEQL_KOTLIN_LEGACY_TEST_EXTRACTION_KOTLIN2=true   → -language-version 2.0

Update CODEOWNERS and labeler.yml to reference test-kotlin.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 17:14:47 +02:00
Anders Fugmann
7ad604696d fix property and accessor locations using PSI
K1 IrProperty.startOffset includes leading modifiers (private, abstract,
lateinit, annotations) in the span start; K2 already starts at val/var.
Walk the PSI tree from p.startOffset to the enclosing KtProperty, then
use valOrVarKeyword.startOffset as the declaration start. This yields a
consistent location spanning val/var through the end of the full property
declaration (including explicit getter/setter bodies) in both K1 and K2.

The PSI-based location is restricted to unspecialised extractions
(classTypeArgsIncludingOuterClasses.isNullOrEmpty()). Specialised generic
instances (e.g. C<String>.prop) continue to use the binary whole-file
location returned by getLocation(p, typeArgs), preserving the existing
behaviour that keeps them absent from fromSource() queries.

Synthesised accessors (DEFAULT_PROPERTY_ACCESSOR origin) represent the
entire property declaration, so they now share the property's location
via accessorOverride(). Explicit getter/setter bodies keep their own
independently computed location.

The visibility merge in extractFunction is extended to accept an
overriddenAttributes parameter from the caller; the internal fake-override
visibility adjustment (DescriptorVisibilities.PUBLIC for Java binary Object
methods) is merged with any caller-supplied attributes so that neither
overrides the other silently.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 17:12:58 +02:00
Anders Fugmann
701db590ee kotlin-extractor: fix K1 local variable locations to span from val/var to initializer
In K1 mode, IrVariable.startOffset points to the name identifier and
IrVariable.endOffset is also at the name end, giving a location that
covers only the variable name (e.g. "local1") rather than the full
declaration ("val local1 = 2 + 3").

In K2 mode the IR offsets already point from the val/var keyword to the
end of the initializer, matching the intuitive source span.

Fix this for K1 by adding an IrVariable-specific overload of
getPsiBasedLocation that:
1. finds the leaf PSI element at v.startOffset (the name identifier)
2. walks up to the enclosing KtVariableDeclaration (KtProperty)
3. uses the val/var keyword position as the start offset to exclude
   any leading annotations from the span

This matches the K2 IR behavior and gives a more complete location for
variable declarations when used in CodeQL queries.

The fix applies to both K1 and K2 since the overload is unconditional;
for K2 the walk-up gives the same result as before.

Expected updates in test-kotlin1:
- variables: local variable locations now span from val/var to initializer
- exprs, stmts, methods, modifiers, reflection: same local variable span
- controlflow/basic: CFG node references updated for new variable spans
  (the "var ...;" node now starts at the val/var keyword)

Class member and top-level properties (IrProperty, not IrVariable) are
not affected by this change and retain their existing location behaviour.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:55 +02:00
Anders Fugmann
0409d3e97c kotlin-extractor: fix NotNullExpr start offset to span from operand
In K1 mode, the IrCall node for the !! operator stores startOffset at
the '!' character rather than at the start of the operand. This means
that x!! was previously reported as spanning from '!' to the end of the
expression, omitting the operand from the location.

Fix this by computing the NotNullExpr location from the value argument's
startOffset (the operand) to c.endOffset. This matches the K2 behaviour
where the IrCall.startOffset already points at the operand.

The fix guards against invalid (< 0) offsets on either side and falls
back to the default IrCall location in those cases.

Updated expected files in test-kotlin1:
- exprs/unaryOp.expected: !! locations now start at operand column
- exprs/exprs.expected: same (NotNullExpr entries corrected)
- exprs/binop.expected: !! child locations now correct (parent binop
  location for s!!.plus(5) still differs due to a separate K1 IR
  limitation where the enclosing call inherits the wrong receiver offset)
- controlflow/basic/bbStmts.expected: CFG references to !! now use the
  improved location
- controlflow/basic/getASuccessor.expected: same

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:55 +02:00
Anders Fugmann
41d475b6c2 kotlin-extractor: PSI-backed source locations for expression-level nodes
K1 and K2 IR backends compute source locations differently. K1 uses the IR
node's synthetic startOffset/endOffset, while K2 reconstructs source positions
from PSI. For expression-level nodes this causes location differences across
the two language modes.

Introduce PSI-backed location lookup as the preferred source for spans wherever
PSI is available:

  getPsiBasedLocation(element) ?: tw.getLocation(element)

getPsiBasedLocation() resolves the PSI element for the IR node via
psi2Ir.findPsiElement() and builds a location from its startOffset..endOffset.
currentIrFile is tracked in extractFileContents so the PSI lookup has the
file context it needs.

Applied to expression-level nodes (both K1 and K2 modes):
- local variable declarations (extractVariable, extractVariableExpr)
- IrLocalDelegatedProperty blocks
- IrWhen expressions and when-branches
- IrGetValue (varaccess) expressions
- IrFunctionExpression (lambda) nodes
- Block statements (extractBlock)
- this/super access expressions (extractThisAccess)
- String literals

Declaration-level nodes (class, function, property) are guarded with
if (usesK2) to avoid a regression in K1 mode where the PSI lookup causes
parameterised type instantiations to appear as fromSource(), inflating
generic-type query results. The K1 IR frontend does not map all declaration
nodes cleanly to source PSI elements; for these nodes we keep the original
IR-based location in K1 mode.

Expected output changes (both suites):
- controlflow/basic/bbStmts, bbStrictDominance, bbSuccessor, getASuccessor,
  strictDominance: when-branch and varaccess location improvements
- java-kotlin-collection-type-generic-methods/test: new stdlib entries from
  JDK update (AbstractCollection<Runnable> methods)
- annotation_classes/PrintAst: variable access location improvement in K1
- classes/genericExprTypes: location improvement in K1
- compilation-units/cus: removed two internal JDK inner-class entries (stdlib
  version change)
- reflection/reflection: removed a few external-class entries (stdlib version)

Verified: all 285 tests pass for both test-kotlin1 (kotlinc 2.3.20 / K1) and
test-kotlin2 (kotlinc 2.4.0 / K2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:54 +02:00
Anders Fugmann
b148494dbf kotlin tests: sync dataflow/foreach test inputs and K2 expected output
Copy K1's richer C2.kt (which includes test2, test3 and l.get(0) in test)
into test-kotlin2. K2 in -language 2.0 mode already tracks dataflow through
array.set() and indirect wrapper calls, so the additional tests produce results
identical to K1.

The expected files for test-kotlin1 and test-kotlin2 are now byte-identical for
this test.

Verified:
- test-kotlin1 (kotlinc 2.3.20 / -language 1.9): all tests pass
- test-kotlin2 (kotlinc 2.4.0 / -language 2.0): all tests pass

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:54 +02:00
Anders Fugmann
a0922638a3 kotlin tests: sync generated-throws.kt source between test-kotlin1 and test-kotlin2
Remove the K1-only comment '// This doesn't generate a throw statement in
Kotlin 1 mode' from test-kotlin1/library-tests/generated-throws/generated-throws.kt
so the source files are byte-identical between the two suites.

The expected outputs still legitimately differ: in K2 mode the compiler generates
an implicit throw NoWhenBranchMatchedException for the exhaustive sealed-class when
expression, but the K1 frontend does not emit this node. This is a mode-specific
behaviour difference that cannot be bridged by an extractor change.

Both tests continue to pass:
- test-kotlin1 (kotlinc 2.3.20 / -language 1.9): 0 throw results (unchanged)
- test-kotlin2 (kotlinc 2.4.0 / -language 2.0): 1 throw result (unchanged)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:53 +02:00
Anders Fugmann
d941557d74 kotlin extractor: fold unaryMinus(IrConst) into a signed literal in K2
In K2 mode the frontend emits `-123L` as IrCall(unaryMinus, IrConst(123L))
rather than IrConst(-123L) as in K1. Queries that search for negative numeric
literals therefore need to match both a UnaryMinusExpr wrapping a literal and a
plain literal, depending on language mode.

Fix: when extractCallExpression encounters an isNumericFunction(unaryMinus) call
whose dispatchReceiver is already an IrConst, fold the negation into the constant
before extracting. The resulting literal node is identical to what K1 emits.

Location: extend the span one character to the left to cover the `-` sign.
In K2 the IrCall's startOffset equals the receiver's startOffset, so we recover
the minus by subtracting one from the receiver offset.

K1 is unaffected: the K1 frontend folds the sign into the constant before IR
generation, so this new branch never triggers when compiling with -language 1.9.

Expected output changes:
- test-kotlin2/library-tests/literals/literals.expected: negative long, float and
  double literals now appear as plain typed literals instead of as UnaryMinus nodes.
  The file is now byte-identical to test-kotlin1/library-tests/literals/literals.expected.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:53 +02:00
Anders Fugmann
86710a24e5 kotlin tests: synchronise test inputs between test-kotlin1 and test-kotlin2
- Port ministdlib from test-kotlin1 to test-kotlin2. The ministdlib test
  exercises a minimal Kotlin standard library written from scratch. Its
  options file is updated to include -language-version 2.0 so the test
  runs in K2 mode when the K2 compiler is active.

- Port nested_types from test-kotlin2 to test-kotlin1. The nested_types
  test exercises type-alias and inner-type queries. Expected output is
  identical in K1 and K2 modes so no expected-file changes are needed.

- Add test-kotlin2/options with codeql-extractor-kotlin-options:
  -language-version 2.0. The CodeQL CLI adds -language-version 1.9 by
  default in legacy test extraction mode. Without this override the K2
  test suite would run in K1 mode, defeating the purpose of the split.

Both ministdlib and nested_types produce byte-identical expected output
across K1 (2.3.20, -language-version 1.9) and K2 (2.4.0, default K2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 15:04:52 +02:00
Owen Mansel-Chan
134e30260d Merge pull request #22119 from owen-mc/java/fix-tainted-path-pattern-sanitization
Java: fix `@Pattern` sanitization for `java/path-injection`
2026-07-08 11:37:15 +01:00
Owen Mansel-Chan
a16e19a3b1 Merge pull request #22127 from owen-mc/cpp/convert-qlref-inline-expectations
C++: Convert qlref tests to inline expectations
2026-07-08 11:36:35 +01:00
Owen Mansel-Chan
69ed2da241 Merge pull request #22134 from github/workflow/coverage/update
Update CSV framework coverage reports
2026-07-08 11:19:06 +01:00
github-actions[bot]
bc966f62e2 Add changed framework coverage reports 2026-07-08 00:38:59 +00:00
Owen Mansel-Chan
8363d2d66d Merge pull request #22132 from joshimar/java/spring-webclient-uri-ssrf-sink
Java: Model Spring reactive `WebClient.uri` as a request forgery sink
2026-07-08 00:40:33 +01:00
Luis Azanza
b8f8370c33 Update java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md
Update change note to be more technically accurate

Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-07-07 16:21:09 -07:00
Luis Azanza
6ff2a4c0d6 Apply suggestion from @owen-mc
Removing Apple Inc notice per feedback provided by GitHub

Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-07-07 16:10:05 -07:00
Luis Azanza
1db31327a7 Java: Model Spring reactive WebClient.uri as a request forgery sink 2026-07-07 13:30:48 -07:00
Owen Mansel-Chan
19745e13b5 Fix some lines with // $ ... // $ MISSING:
Note that when a line is marked `// BAD [NOT DETECTED]` but actually has
an alert, I assume that the `[NOT DETECTED]` is outdated and should be
deleted.
2026-07-07 20:48:39 +01:00
Owen Mansel-Chan
9d9590623d Address review comments 2026-07-07 20:48:36 +01:00
Owen Mansel-Chan
a812e4aa99 Refactor creating barriers with annotations 2026-07-07 12:44:19 +01:00
Owen Mansel-Chan
fa16728522 Fix comments in one test 2026-07-07 12:06:43 +01:00
Owen Mansel-Chan
76d8ae8694 Add MISSING: tag 2026-07-07 10:59:21 +01:00
Owen Mansel-Chan
843ac7c6b0 Add SPURIOUS: tags 2026-07-07 10:54:11 +01:00
Owen Mansel-Chan
a2c5d4c818 C++: Convert qlref tests to inline expectations 2026-07-07 09:49:50 +01:00
Owen Mansel-Chan
e5bd62dbd3 Add change note 2026-07-03 11:34:11 +01:00
Owen Mansel-Chan
76b4f4f223 Fix @Pattern sanitizer for TaintedPath 2026-07-03 11:34:06 +01:00
Owen Mansel-Chan
077b531e41 Add failing TaintedPath test for @Pattern sanitizer 2026-07-03 11:34:03 +01:00
2007 changed files with 4821 additions and 37494 deletions

2
.github/labeler.yml vendored
View File

@@ -20,7 +20,7 @@ JS:
Kotlin:
- java/kotlin-extractor/**/*
- java/ql/test-kotlin*/**/*
- java/ql/test-kotlin/**/*
Python:
- python/**/*

View File

@@ -28,8 +28,7 @@
/swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
/misc/codegen/ @github/codeql-swift
/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
/java/ql/test-kotlin1/ @github/codeql-kotlin
/java/ql/test-kotlin2/ @github/codeql-kotlin
/java/ql/test-kotlin/ @github/codeql-kotlin
# Experimental CodeQL cryptography
**/experimental/**/quantum/ @github/ps-codeql

View File

@@ -1 +1,2 @@
jsf/4.13 Functions/AV Rule 107.ql
query: jsf/4.13 Functions/AV Rule 107.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1 +1,2 @@
Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -48,7 +48,7 @@ void test1()
void test2()
{
Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing)
Lock<Mutex> myLock(); // $ Alert[cpp/function-in-block] // BAD (interpreted as a function declaration, this does nothing)
// ...
}
@@ -62,14 +62,14 @@ void test3()
void test4()
{
Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
Lock<Mutex>(myMutex); // $ Alert[cpp/local-variable-hides-global-variable] // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
// ...
}
void test5()
{
Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing)
Lock<Mutex> myLock(Mutex); // $ Alert[cpp/function-in-block] // BAD (interpreted as a function declaration, this does nothing)
// ...
}
@@ -86,7 +86,7 @@ public:
void test7()
{
Lock<Mutex>(memberMutex); // BAD (creates an uninitialized variable called `memberMutex`, probably not intended) [NOT DETECTED]
Lock<Mutex>(memberMutex); // $ MISSING: Alert // BAD (creates an uninitialized variable called `memberMutex`, probably not intended) [NOT DETECTED]
// ...
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -19,7 +19,7 @@ void test1(int p)
{
sys_somesystemcall(&p);
unsafe_put_user(123, &p); // BAD [NOT DETECTED]
unsafe_put_user(123, &p); // $ MISSING: Alert // BAD [NOT DETECTED]
}
void test2(int p)
@@ -40,7 +40,7 @@ void test3()
sys_somesystemcall(&v);
unsafe_put_user(123, &v); // BAD [NOT DETECTED]
unsafe_put_user(123, &v); // $ MISSING: Alert // BAD [NOT DETECTED]
}
void test4()
@@ -68,7 +68,7 @@ void test5()
sys_somesystemcall(&myData);
unsafe_put_user(123, &(myData.x)); // BAD [NOT DETECTED]
unsafe_put_user(123, &(myData.x)); // $ MISSING: Alert // BAD [NOT DETECTED]
}
void test6()

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -3,6 +3,6 @@ void workFunction_0(char *s) {
char buf[80], buf1[8];
if(len<0) return;
memset(buf,0,len); //GOOD
memset(buf1,0,len1); //BAD
memset(buf1,0,len1); // $ Alert //BAD
if(len1<0) return;
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-078/WordexpTainted.ql
query: experimental/Security/CWE/CWE-078/WordexpTainted.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -19,14 +19,14 @@ enum {
int wordexp(const char *restrict s, wordexp_t *restrict p, int flags);
int main(int argc, char** argv) {
int main(int argc, char** argv) { // $ Source
char *filePath = argv[2];
{
// BAD: the user string is injected directly into `wordexp` which performs command substitution
wordexp_t we;
wordexp(filePath, &we, 0);
wordexp(filePath, &we, 0); // $ Alert
}
{

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -20,7 +20,7 @@ void myFclose(FILE * fmy)
int main(int argc, char *argv[])
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // BAD
fclose(fe); // $ Alert // BAD
fe = fopen("myFile.txt", "wt");
myFclose(fe); // GOOD
return 0;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -11,7 +11,7 @@ void workFunction_0(char *s) {
while(intIndex > 2)
{
buf[intIndex] = 1;
int intIndex; // BAD
int intIndex; // $ Alert // BAD
intIndex--;
}
intIndex = 10;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -8,7 +8,7 @@ int strlen(const char *string);
// the following function is homebrew crypto written for this test. This is a bad algorithm
// on multiple levels and should never be used in cryptography.
void encryptString(char *string, unsigned int key) {
void encryptString(char *string, unsigned int key) { // $ Alert
char *ptr = string;
int len = strlen(string);
@@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) {
// the following function is homebrew crypto written for this test. This is a bad algorithm
// on multiple levels and should never be used in cryptography.
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) {
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert
unsigned int state[2];
unsigned int t;
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d
// the following function resembles an implementation of the AES "mix columns"
// step. It is not accurate, efficient or safe and should never be used in
// cryptography.
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert
// The "mix columns" step takes four bytes as inputs. Each byte represents a
// polynomial with 8 one-bit coefficients, e.g. input bits 00001101
// represent the polynomial x^3 + x^2 + 1. Arithmetic is reduced modulo
@@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
// the following function resembles initialization of an S-box as may be done
// in an implementation of DES, AES and other encryption algorithms. It is not
// accurate, efficient or safe and should never be used in cryptography.
void init_aes_sbox(unsigned char data[256]) {
void init_aes_sbox(unsigned char data[256]) { // $ Alert
// initialize `data` in a loop using lots of ^, ^= and << operations and
// a few fixed constants.
unsigned int state = 0x12345678;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -63,7 +63,7 @@ static void badTest1(const char* ptr)
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // $ Alert // BAD:we can get unpredictable results
wprintf(L"%lc", wc);
ptr += ret;
}
@@ -73,7 +73,7 @@ static void badTest2(const char* ptr)
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // $ Alert // BAD:we can get unpredictable results
wprintf(L"%lc", wc);
ptr += ret;
}
@@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD
ret = mbtowc(wc, ptr, MB_CUR_MAX); // $ Alert // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, 16); // BAD
ret = mbtowc(wc, ptr, 16); // $ Alert // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // $ Alert // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && wc_len > 0) {
ret = mbtowc(wc, ptr, wc_len); // BAD
ret = mbtowc(wc, ptr, wc_len); // $ Alert // BAD
if (ret <0)
if (checkErrors()) {
++ptr;
@@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && wc_len > 0) {
ret = mbtowc(wc, ptr, len); // BAD
ret = mbtowc(wc, ptr, len); // $ Alert // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc)
int len;
len = strlen(ptr);
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, len); // BAD
ret = mbtowc(wc, ptr, len); // $ Alert // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)

View File

@@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size);
void* malloc (size_t size);
static void badTest1(void *src, int size) {
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // $ Alert // BAD
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // $ Alert // BAD
}
void goodTest2(){
wchar_t src[] = L"0123456789ABCDEF";
@@ -42,7 +42,7 @@ void goodTest2(){
static void badTest2(){
wchar_t src[] = L"0123456789ABCDEF";
char dst[16];
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // $ Alert // BAD
printf("%s\n", dst);
}
static void goodTest3(){
@@ -55,7 +55,7 @@ static void badTest3(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // $ Alert // BAD
}
static void goodTest4(){
char src[] = "0123456789ABCDEF";
@@ -67,13 +67,13 @@ static void badTest4(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)malloc(size + 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // $ Alert // BAD
}
static int goodTest5(void *src){
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
}
static int badTest5 (void *src) {
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // $ Alert // BAD
}
static void goodTest6(WCHAR *src)
{
@@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src)
static void badTest6(WCHAR *src)
{
char dst[5] ="";
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // $ Alert // BAD
printf("%s\n", dst);
}

View File

@@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta
static void badTest1(void *src, int size) {
mbstowcs((wchar_t*)src,(char*)src,size); // BAD
mbstowcs((wchar_t*)src,(char*)src,size); // $ Alert // BAD
_locale_t locale;
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // $ Alert // BAD
mbstate_t *mbstate;
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // $ Alert // BAD
}
static void goodTest2(){
char src[] = "0123456789ABCDEF";
@@ -32,7 +32,7 @@ static void goodTest2(){
static void badTest2(){
char src[] = "0123456789ABCDEF";
wchar_t dst[16];
mbstowcs(dst, src,16); // BAD
mbstowcs(dst, src,16); // $ Alert // BAD
printf("%s\n", dst);
}
static void goodTest3(){
@@ -45,7 +45,7 @@ static void badTest3(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
mbstowcs(dst, src,size+1); // BAD
mbstowcs(dst, src,size+1); // $ Alert // BAD
}
static void goodTest4(){
char src[] = "0123456789ABCDEF";
@@ -57,13 +57,13 @@ static void badTest4(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)malloc(size + 1);
mbstowcs(dst, src,size+1); // BAD
mbstowcs(dst, src,size+1); // $ Alert // BAD
}
static int goodTest5(void *src){
return mbstowcs(NULL, (char*)src,NULL); // GOOD
}
static int badTest5 (void *src) {
return mbstowcs(NULL, (char*)src,3); // BAD
return mbstowcs(NULL, (char*)src,3); // $ Alert // BAD
}
static void goodTest6(void *src){
wchar_t dst[5];
@@ -77,6 +77,6 @@ static void goodTest6(void *src){
}
static void badTest6(void *src){
wchar_t dst[5];
mbstowcs(dst, (char*)src,260); // BAD
mbstowcs(dst, (char*)src,260); // $ Alert // BAD
printf("%s\n", dst);
}

View File

@@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){
int cb = 0;
unsigned char dst[50];
while( cb < sizeof(dst) )
dst[cb++]=*src++; // BAD
dst[cb++]=*src++; // $ Alert // BAD
return _mbclen(dst);
}
static void goodTest2(unsigned char *src){
@@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){
unsigned char dst[50];
while( cb < sizeof(dst) )
{
_mbccpy(dst+cb,src); // BAD
_mbccpy(dst+cb,src); // $ Alert // BAD
cb+=_mbclen(src);
src=_mbsinc(src);
}
@@ -44,5 +44,5 @@ static void goodTest3(){
}
static void badTest3(){
wchar_t name[50];
name[sizeof(name) - 1] = L'\0'; // BAD
name[sizeof(name) - 1] = L'\0'; // $ Alert // BAD
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -10,31 +10,31 @@ void test()
int y = getAnInt();
char *buffer1 = (char *)malloc(x + y); // GOOD
char *buffer2 = (char *)malloc(x * y); // BAD
char *buffer2 = (char *)malloc(x * y); // $ Alert // BAD
int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // $ Alert // BAD
if ((x <= 1000) && (y <= 1000))
{
char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE]
char *buffer5 = (char *)malloc(x * y); // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE]
}
size_t size1 = x * y;
char *buffer5 = (char *)malloc(size1); // BAD
size_t size1 = x * y; // $ Source
char *buffer5 = (char *)malloc(size1); // $ Alert // BAD
size_t size2 = x;
size2 *= y;
char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED]
char *buffer6 = (char *)malloc(size2); // $ MISSING: Alert // BAD [NOT DETECTED]
char *buffer7 = new char[x * 10]; // GOOD
char *buffer8 = new char[x * y]; // BAD
char *buffer9 = new char[x * x]; // BAD
char *buffer8 = new char[x * y]; // $ Alert // BAD
char *buffer9 = new char[x * x]; // $ Alert // BAD
}
// --- custom allocators ---
void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
void *MyMalloc1(size_t size) { return malloc(size); } // $ Alert // [additional detection here]
void *MyMalloc2(size_t size);
void customAllocatorTests()
@@ -42,6 +42,6 @@ void customAllocatorTests()
int x = getAnInt();
int y = getAnInt();
char *buffer1 = (char *)MyMalloc1(x * y); // BAD
char *buffer2 = (char *)MyMalloc2(x * y); // BAD
char *buffer1 = (char *)MyMalloc1(x * y); // $ Alert Source // BAD
char *buffer2 = (char *)MyMalloc2(x * y); // $ Alert // BAD
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) {
int aI;
aI = (aUI*8)/10; // GOOD
aI = aUI*8; // BAD
aI = aUI*8; // $ Alert // BAD
aP = aA+aI;
aI = (int)aUI*8; // GOOD
aL = (unsigned long)(aI*aI); // BAD
aL = (unsigned long)(aI*aI); // $ Alert // BAD
aL = ((unsigned long)aI*aI); // GOOD
testCall((unsigned long)(aI*aI)); // BAD
testCall((unsigned long)(aI*aI)); // $ Alert // BAD
testCall(((unsigned long)aI*aI)); // GOOD
if((unsigned long)(aI*aI) > aL) // BAD
if((unsigned long)(aI*aI) > aL) // $ Alert // BAD
return;
if(((unsigned long)aI*aI) > aL) // GOOD
return;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -15,49 +15,49 @@ void test()
unsigned short b1 = getAnUnsignedShort();
unsigned short c1 = getAnUnsignedShort();
if (a+b>c) a = c-b; // BAD
if (a+b>c) { a = c-b; } // BAD
if (b+a>c) a = c-b; // BAD
if (b+a>c) { a = c-b; } // BAD
if (c>a+b) a = c-b; // BAD
if (c>a+b) { a = c-b; } // BAD
if (c>b+a) a = c-b; // BAD
if (c>b+a) { a = c-b; } // BAD
if (a+b>c) a = c-b; // $ Alert // BAD
if (a+b>c) { a = c-b; } // $ Alert // BAD
if (b+a>c) a = c-b; // $ Alert // BAD
if (b+a>c) { a = c-b; } // $ Alert // BAD
if (c>a+b) a = c-b; // $ Alert // BAD
if (c>a+b) { a = c-b; } // $ Alert // BAD
if (c>b+a) a = c-b; // $ Alert // BAD
if (c>b+a) { a = c-b; } // $ Alert // BAD
if (a+b>=c) a = c-b; // BAD
if (a+b>=c) { a = c-b; } // BAD
if (b+a>=c) a = c-b; // BAD
if (b+a>=c) { a = c-b; } // BAD
if (c>=a+b) a = c-b; // BAD
if (c>=a+b) { a = c-b; } // BAD
if (c>=b+a) a = c-b; // BAD
if (c>=b+a) { a = c-b; } // BAD
if (a+b>=c) a = c-b; // $ Alert // BAD
if (a+b>=c) { a = c-b; } // $ Alert // BAD
if (b+a>=c) a = c-b; // $ Alert // BAD
if (b+a>=c) { a = c-b; } // $ Alert // BAD
if (c>=a+b) a = c-b; // $ Alert // BAD
if (c>=a+b) { a = c-b; } // $ Alert // BAD
if (c>=b+a) a = c-b; // $ Alert // BAD
if (c>=b+a) { a = c-b; } // $ Alert // BAD
if (a+b<c) a = c-b; // BAD
if (a+b<c) { a = c-b; } // BAD
if (b+a<c) a = c-b; // BAD
if (b+a<c) { a = c-b; } // BAD
if (c<a+b) a = c-b; // BAD
if (c<a+b) { a = c-b; } // BAD
if (c<b+a) a = c-b; // BAD
if (c<b+a) { a = c-b; } // BAD
if (a+b<c) a = c-b; // $ Alert // BAD
if (a+b<c) { a = c-b; } // $ Alert // BAD
if (b+a<c) a = c-b; // $ Alert // BAD
if (b+a<c) { a = c-b; } // $ Alert // BAD
if (c<a+b) a = c-b; // $ Alert // BAD
if (c<a+b) { a = c-b; } // $ Alert // BAD
if (c<b+a) a = c-b; // $ Alert // BAD
if (c<b+a) { a = c-b; } // $ Alert // BAD
if (a+b<=c) a = c-b; // BAD
if (a+b<=c) { a = c-b; } // BAD
if (b+a<=c) a = c-b; // BAD
if (b+a<=c) { a = c-b; } // BAD
if (c<=a+b) a = c-b; // BAD
if (c<=a+b) { a = c-b; } // BAD
if (c<=b+a) a = c-b; // BAD
if (c<=b+a) { a = c-b; } // BAD
if (a+b<=c) a = c-b; // $ Alert // BAD
if (a+b<=c) { a = c-b; } // $ Alert // BAD
if (b+a<=c) a = c-b; // $ Alert // BAD
if (b+a<=c) { a = c-b; } // $ Alert // BAD
if (c<=a+b) a = c-b; // $ Alert // BAD
if (c<=a+b) { a = c-b; } // $ Alert // BAD
if (c<=b+a) a = c-b; // $ Alert // BAD
if (c<=b+a) { a = c-b; } // $ Alert // BAD
if (a+b>d) a = d-b; // BAD
if (a+b>d) a = d-b; // $ Alert // BAD
if (a+(double)b>c) a = c-b; // GOOD
if (a+(-x)>c) a = c-(-y); // GOOD
if (a+b>c) { b++; a = c-b; } // GOOD
if (a+d>c) a = c-d; // GOOD
if (a1+b1>c1) a1 = c1-b1; // GOOD
if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
if (a+b<=c) { return; } a = c-b; // BAD
if (a+b<=c) { /* ... */ } else { a = c-b; } // $ Alert // BAD
if (a+b<=c) { return; } a = c-b; // $ Alert // BAD
}

View File

@@ -1 +1,2 @@
experimental/Likely Bugs/ArrayAccessProductFlow.ql
query: experimental/Likely Bugs/ArrayAccessProductFlow.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1,13 +1,13 @@
char *malloc(int size);
void test1(int size) {
char *arr = malloc(size);
char *arr = malloc(size); // $ Source
for (int i = 0; i < size; i++) {
arr[i] = 0; // GOOD
}
for (int i = 0; i <= size; i++) {
arr[i] = i; // BAD
arr[i] = i; // $ Alert // BAD
}
}
@@ -18,7 +18,7 @@ typedef struct {
array_t mk_array(int size) {
array_t arr;
arr.p = malloc(size);
arr.p = malloc(size); // $ Source
arr.size = size;
return arr;
@@ -32,7 +32,7 @@ void test2(int size) {
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // BAD
arr.p[i] = i; // $ Alert // BAD
}
}
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // BAD
arr.p[i] = i; // $ Alert // BAD
}
}
@@ -52,7 +52,7 @@ void test3(int size) {
void test4(int size) {
array_t arr;
arr.p = malloc(size);
arr.p = malloc(size); // $ Source
arr.size = size;
for (int i = 0; i < arr.size; i++) {
@@ -60,13 +60,13 @@ void test4(int size) {
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // BAD
arr.p[i] = i; // $ Alert // BAD
}
}
array_t *mk_array_p(int size) {
array_t *arr = (array_t*) malloc(sizeof(array_t));
arr->p = malloc(size);
arr->p = malloc(size); // $ Source
arr->size = size;
return arr;
@@ -80,7 +80,7 @@ void test5(int size) {
}
for (int i = 0; i <= arr->size; i++) {
arr->p[i] = i; // BAD
arr->p[i] = i; // $ Alert // BAD
}
}
@@ -90,7 +90,7 @@ void test6_callee(array_t *arr) {
}
for (int i = 0; i <= arr->size; i++) {
arr->p[i] = i; // BAD
arr->p[i] = i; // $ Alert // BAD
}
}
@@ -105,6 +105,6 @@ void test7(int size) {
}
for (char *p = arr; p <= arr + size; p++) {
*p = 0; // BAD [NOT DETECTED]
*p = 0; // $ MISSING: Alert // BAD [NOT DETECTED]
}
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) {
void testBig(BigArray *arr) {
arr->buf[MAX_SIZE-1] = 0; // GOOD
arr->buf[MAX_SIZE] = 0; // BAD
arr->buf[MAX_SIZE+1] = 0; // BAD
arr->buf[MAX_SIZE] = 0; // $ Alert // BAD
arr->buf[MAX_SIZE+1] = 0; // $ Alert // BAD
for(int i = 0; i < MAX_SIZE; i++) {
arr->buf[i] = 0; // GOOD
}
for(int i = 0; i <= MAX_SIZE; i++) {
arr->buf[i] = 0; // BAD
arr->buf[i] = 0; // $ Alert // BAD
}
}
void testFields(ArrayAndFields *arr) {
arr->buf[MAX_SIZE-1] = 0; // GOOD
arr->buf[MAX_SIZE] = 0; // BAD?
arr->buf[MAX_SIZE+1] = 0; // BAD?
arr->buf[MAX_SIZE] = 0; // $ Alert // BAD?
arr->buf[MAX_SIZE+1] = 0; // $ Alert // BAD?
for(int i = 0; i < MAX_SIZE; i++) {
arr->buf[i] = 0; // GOOD
}
for(int i = 0; i <= MAX_SIZE; i++) {
arr->buf[i] = 0; // BAD?
arr->buf[i] = 0; // $ Alert // BAD?
}
for(int i = 0; i < MAX_SIZE+2; i++) {
arr->buf[i] = 0; // BAD?
arr->buf[i] = 0; // $ Alert // BAD?
}
// is this different if it's a memcpy?
}
void assignThroughPointer(int *p) {
void assignThroughPointer(int *p) { // $ Sink
*p = 0; // ??? should the result go at a flow source?
}
void addToPointerAndAssign(int *p) {
p[MAX_SIZE-1] = 0; // GOOD
p[MAX_SIZE] = 0; // BAD
p[MAX_SIZE] = 0; // $ Alert // BAD
}
void testInterproc(BigArray *arr) {
assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
assignThroughPointer(&arr->buf[MAX_SIZE]); // $ Alert // BAD
addToPointerAndAssign(arr->buf);
addToPointerAndAssign(arr->buf); // $ Source
}
#define MAX_SIZE_BYTES 4096
void testCharIndex(BigArray *arr) {
char *charBuf = (char*) arr->buf;
char *charBuf = (char*) arr->buf; // $ Source
charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
charBuf[MAX_SIZE_BYTES] = 0; // BAD
charBuf[MAX_SIZE_BYTES] = 0; // $ Alert // BAD
}
void testEqRefinement() {
@@ -125,7 +125,7 @@ void testStackAllocated() {
char *arr[MAX_SIZE];
for(int i = 0; i <= MAX_SIZE; i++) {
arr[i] = 0; // BAD
arr[i] = 0; // $ Alert // BAD
}
}
@@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int);
char testStrncmp2(char *arr) {
if(strncmp(arr, "<test>", 6) == 0) {
arr += 6;
arr += 6; // $ Alert
}
return *arr; // GOOD [FALSE POSITIVE]
return *arr; // $ SPURIOUS: Sink // GOOD [FALSE POSITIVE]
}
void testStrncmp1() {
char asdf[5];
testStrncmp2(asdf);
testStrncmp2(asdf); // $ Source
}
void countdownBuf1(int **p) {
*--(*p) = 1; // GOOD [FALSE POSITIVE]
*--(*p) = 1; // $ SPURIOUS: Sink // GOOD [FALSE POSITIVE]
*--(*p) = 2; // GOOD
*--(*p) = 3; // GOOD
*--(*p) = 4; // GOOD
@@ -153,7 +153,7 @@ void countdownBuf1(int **p) {
void countdownBuf2() {
int buf[4];
int *x = buf + 4;
int *x = buf + 4; // $ Alert
countdownBuf1(&x);
}
@@ -182,7 +182,7 @@ int countdownLength1(int *p, int len) {
}
int callCountdownLength() {
int buf[6];
return countdownLength1(buf, 6);
@@ -192,7 +192,7 @@ int countdownLength2() {
int buf[6];
int len = 6;
int *p = buf;
if(len % 8) {
return -1;
}
@@ -215,10 +215,10 @@ int countdownLength2() {
void pointer_size_larger_than_array_element_size() {
unsigned char buffer[100]; // getByteSize() = 100
int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
int *ptr = (int *)buffer; // $ Source // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
ptr[25] = 0; // $ Alert // BAD: writes bytes 100, 101, 102, 103
}
struct vec2 { int x, y; };
@@ -226,10 +226,10 @@ struct vec3 { int x, y, z; };
void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
vec3 array[3]; // getByteSize() = 9 * sizeof(int)
vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
vec2 *ptr = (vec2 *)array; // $ Source // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
ptr[3] = vec2{}; // GOOD: writes ints 6, 7
ptr[4] = vec2{}; // BAD: writes ints 8, 9
ptr[4] = vec2{}; // $ Alert // BAD: writes ints 8, 9
}
void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) {
if(n == 3) {
unsigned char x = p[0];
unsigned char y = p[1];
unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
unsigned char z = p[2]; // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
use(x, y, z);
}
}
@@ -283,7 +283,7 @@ void test_call_use2() {
call_call_use(buffer1,1);
unsigned char buffer2[2];
call_call_use(buffer2,2);
call_call_use(buffer2,2); // $ Source
unsigned char buffer3[3];
call_call_use(buffer3,3);
@@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) {
int sum;
for (int i = 0; i < size; i++) {
sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size
sum += arr[i]; // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE] - guarded by size
}
return sum;
}
@@ -304,9 +304,9 @@ int guardingCallee(int *arr, int size) {
int guardingCaller() {
int arr1[MAX_SIZE];
guardingCallee(arr1, MAX_SIZE);
int arr2[10];
guardingCallee(arr2, 10);
guardingCallee(arr2, 10); // $ Source
}
// simplified md5 padding
@@ -319,10 +319,10 @@ void correlatedCondition(int num) {
end = temp + 56;
}
else if (num < 64) {
end = temp + 64; // GOOD [FALSE POSITVE]
end = temp + 64; // $ SPURIOUS: Alert // GOOD [FALSE POSITVE]
}
char *temp2 = temp + num;
while(temp2 != end) {
while(temp2 != end) { // $ Sink
*temp2 = 0;
temp2++;
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -9,7 +9,7 @@ int main(int argc, char *argv[])
{
//umask(0022);
FILE *fp;
fp = fopen("myFile.txt","w"); // BAD
fp = fopen("myFile.txt","w"); // $ Alert // BAD
//chmod("myFile.txt",0644);
fprintf(fp,"%s\n","data to file");
fclose(fp);

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -10,8 +10,8 @@ int main(int argc, char *argv[])
{
FILE *fp;
char buf[128];
fp = fopen("myFile.txt","r+"); // BAD [NOT DETECTED]
fgets(buf,128,fp);
fp = fopen("myFile.txt","r+"); // $ MISSING: Alert // BAD [NOT DETECTED]
fgets(buf,128,fp);
fprintf(fp,"%s\n","data to file");
fclose(fp);
return 0;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -9,13 +9,13 @@ int chdir(char *path);
void exit(int status);
int funTest1(){
if (chroot("/myFold/myTmp") == -1) { // BAD
if (chroot("/myFold/myTmp") == -1) { // $ Alert // BAD
exit(-1);
}
return 0;
}
int funTest2(){
int funTest2(){
if (chdir("/myFold/myTmp") == -1) { // GOOD
exit(-1);
}
@@ -25,8 +25,8 @@ int funTest2(){
return 0;
}
int funTest3(){
chdir("/myFold/myTmp"); // BAD
int funTest3(){
chdir("/myFold/myTmp"); // $ Alert // BAD
return 0;
}
int main(int argc, char *argv[])

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -6,7 +6,7 @@ int fclose(FILE *stream);
void funcTest1()
{
umask(0666); // BAD
umask(0666); // $ Alert // BAD
FILE *fe;
fe = fopen("myFile.txt", "wt");
fclose(fe);
@@ -27,7 +27,7 @@ void funcTest2(int mode)
FILE *fe;
fe = fopen("myFile.txt", "wt");
fclose(fe);
chmod("myFile.txt",0555-mode); // BAD
chmod("myFile.txt",0555-mode); // $ Alert // BAD
}
void funcTest2g(int mode)

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-285/PamAuthorization.ql
query: experimental/Security/CWE/CWE-285/PamAuthorization.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in,
return false;
}
err = pam_authenticate(pamh, 0);
err = pam_authenticate(pamh, 0); // $ Alert
if (err != PAM_SUCCESS)
return err;

View File

@@ -7,7 +7,7 @@ namespace std{
CURLOPT_URL,
CURLOPT_SSL_VERIFYHOST,
CURLOPT_SSL_VERIFYPEER
};
};
CURL *curl_easy_init();
void curl_easy_cleanup(CURL *handle);
@@ -22,8 +22,8 @@ char host[] = "codeql.com";
void bad(void) {
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); // $ Alert
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
curl_easy_perform(curl.get());
}
@@ -31,7 +31,7 @@ void bad(void) {
void good(void) {
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
curl_easy_perform(curl.get());
}
@@ -40,4 +40,3 @@ int main(int c, char** argv){
bad();
good();
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-295/CurlSSL.ql
query: experimental/Security/CWE/CWE-295/CurlSSL.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -54,7 +54,7 @@ void file()
FILE *file;
// BAD: write zipcode to file in cleartext
fputs(theZipcode, file);
fputs(theZipcode, file); // $ Alert
// GOOD: encrypt first
char *encrypted = encrypt(theZipcode);
@@ -71,15 +71,15 @@ int main(int argc, char **argv)
char *buff4;
// BAD: write medical to buffer in cleartext
sprintf(buff1, "%s", medical);
sprintf(buff1, "%s", medical); // $ Alert Source
// BAD: write medical to buffer in cleartext
char *temp = medical;
sprintf(buff2, "%s", temp);
char *temp = medical; // $ Source
sprintf(buff2, "%s", temp); // $ Alert
// BAD: write medical to buffer in cleartext
char *buff5 = func(medical);
sprintf(buff3, "%s", buff5);
char *buff5 = func(medical); // $ Source
sprintf(buff3, "%s", buff5); // $ Alert
char *buff6 = encrypt(medical);
// GOOD: encrypt first
@@ -93,10 +93,10 @@ void stream()
ofstream mystream;
// BAD: write zipcode to file in cleartext
mystream << "the zipcode is: " << theZipcode;
mystream << "the zipcode is: " << theZipcode; // $ Alert Source
// BAD: write zipcode to file in cleartext
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode));
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert
// GOOD: encrypt first
char *encrypted = encrypt(theZipcode);

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -44,13 +44,13 @@ int getSize2(int type) {
int badTestf1(int type, int met) {
int is = getSize(type);
if (met == 1) return 123 / is; // BAD
else return 123 / getSize2(type); // BAD
if (met == 1) return 123 / is; // $ Alert // BAD
else return 123 / getSize2(type); // $ Alert // BAD
}
int badTestf2(int type) {
int is;
is = getSize(type);
return 123 / is; // BAD
return 123 / is; // $ Alert // BAD
}
int badTestf3(int type, int met) {
@@ -58,31 +58,31 @@ int badTestf3(int type, int met) {
is = getSize(type);
switch (met) {
case 1:
if (is >= 0) return 123 / is; // BAD [NOT DETECTED]
if (is >= 0) return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
case 2:
if (0 == is) return 123 / is; // BAD [NOT DETECTED]
if (0 == is) return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
case 3:
if (!is & 123 / is) // BAD
if (!is & 123 / is) // $ Alert // BAD
return 123;
case 4:
if (!is | 123 / is) // BAD
if (!is | 123 / is) // $ Alert // BAD
return 123;
case 5:
if (123 / is || !is) // BAD
if (123 / is || !is) // $ Alert // BAD
return 123;
case 6:
if (123 / is && !is) // BAD
if (123 / is && !is) // $ Alert // BAD
return 123;
case 7:
if (!is) return 123 / is; // BAD
if (!is) return 123 / is; // $ Alert // BAD
case 8:
if (is > -1) return 123 / is; // BAD
if (is > -1) return 123 / is; // $ Alert // BAD
case 9:
if (is < 2) return 123 / is; // BAD
if (is < 2) return 123 / is; // $ Alert // BAD
}
if (is != 0) return -1;
if (is == 0) type += 1;
return 123 / is; // BAD [NOT DETECTED]
return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
}
int goodTestf3(int type, int met) {
@@ -92,7 +92,7 @@ int goodTestf3(int type, int met) {
case 1:
if (is < 0) return 123 / is; // GOOD
case 2:
if (!is && 123 / is) // GOOD
if (!is && 123 / is) // GOOD
return 123;
case 3:
if (!is || 123 / is) // GOOD
@@ -112,10 +112,10 @@ int goodTestf3a(int type, int met) {
if (is < 0)
return 123 / is; // GOOD
case 2:
if (!is && 123 / is) // GOOD
if (!is && 123 / is) // GOOD
return 123;
case 3:
if (!is || 123 / is) // GOOD
if (!is || 123 / is) // GOOD
return 123;
}
return 1;
@@ -125,20 +125,20 @@ int badTestf4(int type) {
int is = getSize(type);
int d;
d = type * is;
return 123 / d; // BAD
return 123 / d; // $ Alert // BAD
}
int badTestf5(int type) {
int is = getSize(type);
int d;
d = is / type;
return 123 / d; // BAD
return 123 / d; // $ Alert // BAD
}
int badTestf6(int type) {
int is = getSize(type);
int d;
d = is / type;
return type * 123 / d; // BAD
return type * 123 / d; // $ Alert // BAD
}
int badTestf7(int type, int met) {
@@ -150,7 +150,7 @@ int badTestf7(int type, int met) {
return 123 / is; // GOOD
}
quit:
return 123 / is; // BAD
return 123 / is; // $ Alert // BAD
}
int goodTestf7(int type, int met) {
@@ -169,8 +169,8 @@ int goodTestf7(int type, int met) {
int badTestf8(int type) {
int is = getSize(type);
type /= is; // BAD
type %= is; // BAD
type /= is; // $ Alert // BAD
type %= is; // $ Alert // BAD
return type;
}
@@ -184,7 +184,7 @@ float getSizeFloat(float type) {
}
float badTestf9(float type) {
float is = getSizeFloat(type);
return 123 / is; // BAD
return 123 / is; // $ Alert // BAD
}
float goodTestf9(float type) {
float is = getSizeFloat(type);
@@ -196,18 +196,18 @@ int badTestf10(int type) {
int out = type;
int is = getSize(type);
if (is > -2) {
out /= 123 / (is + 1); // BAD
out /= 123 / (is + 1); // $ Alert // BAD
}
if (is > 0) {
return 123 / (is - 1); // BAD
return 123 / (is - 1); // $ Alert // BAD
}
if (is <= 0) return 0;
return 123 / (is - 1); // BAD
return 123 / (is - 1); // $ Alert // BAD
return 0;
}
int badTestf11(int type) {
int is = getSize(type);
return 123 / (is - 3); // BAD
return 123 / (is - 3); // $ Alert // BAD
}
int goodTestf11(int type) {
@@ -223,7 +223,7 @@ int badTestf12(FILE * f) {
int a;
int ret = -1;
a = getc(f);
if (a == 0) ret = 123 / a; // BAD [NOT DETECTED]
if (a == 0) ret = 123 / a; // $ MISSING: Alert // BAD [NOT DETECTED]
return ret;
}
@@ -255,14 +255,14 @@ int badMySubDiv(int type, int is) {
void badTestf13(int type) {
int is = getSize(type);
badMyDiv(type, is); // BAD
badMyDiv(type, is - 2); // BAD
badMySubDiv(type, is); // BAD
badMyDiv(type, is); // $ Alert // BAD
badMyDiv(type, is - 2); // $ Alert // BAD
badMySubDiv(type, is); // $ Alert // BAD
goodMyDiv(type, is); // GOOD
if (is < 5)
badMySubDiv(type, is); // BAD
badMySubDiv(type, is); // $ Alert // BAD
if (is < 0)
badMySubDiv(type, is); // BAD [NOT DETECTED]
badMySubDiv(type, is); // $ MISSING: Alert // BAD [NOT DETECTED]
if (is > 5)
badMySubDiv(type, is); // GOOD
if (is == 0)
@@ -270,9 +270,9 @@ void badTestf13(int type) {
if (is > 0)
badMyDiv(type, is); // GOOD
if (is < 5)
badMyDiv(type, is - 3); // BAD
badMyDiv(type, is - 3); // $ Alert // BAD
if (is < 0)
badMyDiv(type, is + 1); // BAD
badMyDiv(type, is + 1); // $ Alert // BAD
if (is > 5)
badMyDiv(type, is - 3); // GOOD
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -13,7 +13,7 @@ int fclose(FILE *stream);
int funcTest1()
{
FILE *fp;
char *filename = tmpnam(NULL); // BAD
char *filename = tmpnam(NULL); // $ Alert // BAD
fp = fopen(filename,"w");
fprintf(fp,"%s\n","data to file");
fclose(fp);
@@ -39,7 +39,7 @@ int funcTest3()
FILE *fp;
char filename[80];
strcat(filename, "/tmp/tmp.name");
fp = fopen(filename,"w"); // BAD [NOT DETECTED]
fp = fopen(filename,"w"); // $ MISSING: Alert // BAD [NOT DETECTED]
fprintf(fp,"%s\n","data to file");
fclose(fp);
return 0;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
}
return buffer;
}
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
}
return buffer;
}
@@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
}
if(!buffer)
aFakeFailed_1(1, 1);
@@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n
assert(buffer!=0);
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
}
return buffer;
}
@@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t
unsigned char *tmp = buffer;
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
if (buffer == NULL)
{
free(tmp);
@@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t
unsigned char *tmp = buffer;
if (currentSize < newSize)
{
tmp = (unsigned char *)realloc(tmp, newSize);
tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert
if (tmp != 0)
{
buffer = tmp;
@@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
}
if (cond)
{
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize);
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
assert(cond); // irrelevant
}
return buffer;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-409/DecompressionBombs.ql
query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream(
void brotli_test(int argc, const char **argv) {
uint8_t output[1024];
size_t output_size = sizeof(output);
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // $ Alert // BAD
size_t input_size = 1024;
const uint8_t *input_p = (const uint8_t*)argv[2];
uint8_t *output_p = output;
size_t out_size;
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // $ Alert // BAD
&output_p, &out_size);
}

View File

@@ -19,7 +19,7 @@ static int read_data(archive *ar) {
size_t size;
la_int64_t offset;
int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
int r = archive_read_data_block(ar, &buff, &size, &offset); // $ Alert // BAD
if (r == ARCHIVE_EOF)
return ARCHIVE_OK;
if (r < ARCHIVE_OK)

View File

@@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv);
void zlib_test(int argc, const char **argv);
void zstd_test(int argc, const char **argv);
int main(int argc, const char **argv) {
int main(int argc, const char **argv) { // $ Source
brotli_test(argc, argv);
libarchive_test(argc, argv);
minizip_test(argc, argv);

View File

@@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) {
int32_t bytes_read;
char buf[4096];
while(true) {
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // $ Alert // BAD
if (bytes_read <= 0) {
break;
}
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) {
void *zip_reader = mz_zip_reader_create();
mz_zip_reader_open_file(zip_reader, argv[1]);
mz_zip_reader_goto_first_entry(zip_reader);
mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
mz_zip_reader_entry_save(zip_reader, 0, 0); // $ Alert // BAD
UnzOpen(argv[3]); // BAD
UnzOpen(argv[3]); // $ Alert // BAD
}

View File

@@ -22,7 +22,7 @@ void UnsafeInflate(char *input) {
infstream.next_out = output; // output char array
inflateInit(&infstream);
inflate(&infstream, 0); // BAD
inflate(&infstream, 0); // $ Alert // BAD
}
@@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
unsigned char unzipBuffer[8192];
while (true) {
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // $ Alert // BAD
break;
}
}
@@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
while (true) {
char buffer[1000];
if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
if (!gzfread(buffer, 999, 1, inFileZ)) { // $ Alert // BAD
break;
}
}
@@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) {
char *buffer = new char[4000000000];
char *result;
while (true) {
result = gzgets(inFileZ, buffer, 1000000000); // BAD
result = gzgets(inFileZ, buffer, 1000000000); // $ Alert // BAD
if (result == nullptr) {
break;
}
@@ -74,7 +74,7 @@ void InflateString(char *input) {
uLong source_length = 500;
uLong destination_length = sizeof(output);
uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
uncompress(output, &destination_length, (Bytef *) input, source_length); // $ Alert // BAD
}
void zlib_test(int argc, char **argv) {

View File

@@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) {
ZSTD_inBuffer input = {buffIn, read, 0};
while (input.pos < input.size) {
ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // $ Alert // BAD
CHECK_ZSTD(ret);
}
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-415/DoubleFree.ql
query: experimental/Security/CWE/CWE-415/DoubleFree.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -8,14 +8,14 @@ void workFunction_0(char *s) {
char *buf;
buf = (char *) malloc(intSize);
free(buf); // GOOD
if(buf) free(buf); // BAD
if(buf) free(buf); // $ Alert // BAD
}
void workFunction_1(char *s) {
int intSize = 10;
char *buf;
buf = (char *) malloc(intSize);
free(buf); // GOOD
free(buf); // BAD
free(buf); // $ Alert // BAD
}
void workFunction_2(char *s) {
int intSize = 10;
@@ -54,7 +54,7 @@ void workFunction_5(char *s, int intFlag) {
if(intFlag) {
free(buf); // GOOD
}
free(buf); // BAD
free(buf); // $ Alert // BAD
}
void workFunction_6(char *s, int intFlag) {
int intSize = 10;
@@ -75,7 +75,7 @@ void workFunction_7(char *s) {
char *buf1;
buf = (char *) malloc(intSize);
buf1 = (char *) realloc(buf,intSize*4);
free(buf); // BAD
free(buf); // $ Alert // BAD
}
void workFunction_8(char *s) {
int intSize = 10;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
query: experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -68,7 +68,7 @@ void funcWork1b() {
}
delete [] bufMyData;
}
} // $ Alert
}
void funcWork1() {
@@ -97,7 +97,7 @@ void funcWork1() {
}
delete [] bufMyData;
}
} // $ Alert
}
void funcWork2() {
@@ -125,7 +125,7 @@ void funcWork2() {
}
delete [] bufMyData;
}
} // $ Alert
}
void funcWork3() {
int a;
@@ -148,7 +148,7 @@ void funcWork3() {
}
delete [] bufMyData;
}
} // $ Alert
}
@@ -180,7 +180,7 @@ void funcWork4b() {
catch (...)
{
delete valData; // BAD
}
} // $ Alert
}
void funcWork5() {
int a;
@@ -218,7 +218,7 @@ void funcWork5b() {
catch (...)
{
delete valData; // BAD
}
} // $ Alert
}
void funcWork6() {
int a;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
query: experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -25,7 +25,7 @@ void testFunction(char c1,int i1)
case 9:
break;
dafault:
}
} // $ Alert
switch(c1){ // BAD
c1=c1*2;
@@ -35,7 +35,7 @@ void testFunction(char c1,int i1)
break;
case 9:
break;
}
} // $ Alert
if((c1<6)&&(c1>0))
switch(c1){ // BAD
@@ -47,7 +47,7 @@ void testFunction(char c1,int i1)
break;
case 1:
break;
}
} // $ Alert
if((c1<6)&&(c1>0))
switch(c1){ // BAD
@@ -55,6 +55,6 @@ void testFunction(char c1,int i1)
break;
case 1:
break;
}
} // $ Alert
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
query: experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -42,7 +42,7 @@ int gootTest2(SSL *ssl)
int badTest1(SSL *ssl)
{
int ret;
switch ((ret = SSL_shutdown(ssl))) {
switch ((ret = SSL_shutdown(ssl))) { // $ Alert
case 1:
break;
case 0:
@@ -58,7 +58,7 @@ int badTest1(SSL *ssl)
int badTest2(SSL *ssl)
{
int ret;
ret = SSL_shutdown(ssl);
ret = SSL_shutdown(ssl); // $ Alert
switch (ret) {
case 1:
break;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-675/DoubleRelease.ql
query: experimental/Security/CWE/CWE-675/DoubleRelease.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -6,7 +6,7 @@ extern FILE * fe;
void test1()
{
FILE *f;
f = fopen("myFile.txt", "wt");
fclose(f); // GOOD
f = NULL;
@@ -15,9 +15,9 @@ void test1()
void test2()
{
FILE *f;
f = fopen("myFile.txt", "wt");
fclose(f); // BAD
fclose(f); // $ Alert // BAD
fclose(f);
}
@@ -25,17 +25,17 @@ void test3()
{
FILE *f;
FILE *g;
f = fopen("myFile.txt", "wt");
g = f;
fclose(f); // BAD
fclose(f); // $ Alert // BAD
fclose(g);
}
int fGtest4_1()
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // BAD
fe = fopen("myFile.txt", "wt");
fclose(fe); // $ Alert // BAD
return -1;
}
@@ -46,7 +46,7 @@ int fGtest4_2()
}
void Gtest4()
{
{
fGtest4_1();
fGtest4_2();
}
@@ -76,7 +76,7 @@ int main(int argc, char *argv[])
test1();
test2();
test3();
Gtest4();
Gtest5();
return 0;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -5,25 +5,25 @@ void workFunction_0(char *s) {
int intSize;
char buf[80];
if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // $ Alert[cpp/errors-when-using-bit-operations] // BAD
if(intSize>0 && tmpFunction()) return;
if(intSize<0 & tmpFunction()) return; // BAD
if(intSize<0 & tmpFunction()) return; // $ Alert[cpp/errors-when-using-bit-operations] // BAD
}
void workFunction_1(char *s) {
int intA,intB;
if(intA + intB) return; // BAD
if(intA + intB) return; // $ Alert[cpp/errors-after-refactoring] // BAD
if(intA + intB>4) return; // GOOD
if(intA>0 && (intA + intB)) return; // BAD
if(intA>0 && (intA + intB)) return; // $ Alert[cpp/errors-after-refactoring] // BAD
while(intA>0)
{
if(intB - intA<10) break;
intA--;
}while(intA>0); // BAD
}while(intA>0); // $ Alert[cpp/errors-after-refactoring] // BAD
for(intA=100; intA>0; intA--)
{
if(intB - intA<10) break;
}while(intA>0); // BAD
}while(intA>0); // $ Alert[cpp/errors-after-refactoring] // BAD
while(intA>0)
{
if(intB - intA<10) break;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
query: experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -32,13 +32,13 @@ void funcTest2()
void funcTest3()
{
std::runtime_error("msg error"); // BAD
std::runtime_error("msg error"); // $ Alert // BAD
throw std::runtime_error("msg error"); // GOOD
}
void TestFunc()
{
funcTest1();
DllMain();
funcTest1(); // $ Alert
DllMain(); // $ Alert
funcTest2();
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
query: experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -49,9 +49,9 @@ int functionWork1b(int retIndex) {
char a[10];
int b;
int *p = &b;
scanf("%i", &i); // BAD
scanf("%s", a); // BAD
scanf("%i", p); // BAD
scanf("%i", &i); // $ Alert // BAD
scanf("%s", a); // $ Alert // BAD
scanf("%i", p); // $ Alert // BAD
if(retIndex == 0)
return (int)*a;
if(retIndex == 1)
@@ -60,7 +60,7 @@ int functionWork1b(int retIndex) {
}
int functionWork1_() {
int i;
scanf("%i",&i); // BAD [NOT DETECTED]
scanf("%i",&i); // $ MISSING: Alert // BAD [NOT DETECTED]
if(i<10)
return -1;
return i;
@@ -102,9 +102,9 @@ int functionWork2b() {
char a[10];
int b;
int *p = &b;
scanf("%i", &i); // BAD
scanf("%s", a); // BAD
scanf("%i", p); // BAD
scanf("%i", &i); // $ Alert // BAD
scanf("%s", a); // $ Alert // BAD
scanf("%i", p); // $ Alert // BAD
globalVal = i;
globalVala = a;
globalValp = p;
@@ -112,12 +112,12 @@ int functionWork2b() {
}
int functionWork2b_() {
char a[10];
scanf("%s", a); // BAD
scanf("%s", a); // $ Alert // BAD
globalVala2 = a[0];
return 0;
}
int functionWork3b(int * i) {
scanf("%i", i); // BAD
scanf("%i", i); // $ Alert // BAD
return 0;
}
int functionWork3() {

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
query: experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -10,10 +10,10 @@ char tmpFunction2(char * buf)
}
void workFunction_0(char *s, char * buf) {
int intA;
intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD
intA = tmpFunction1(buf) + tmpFunction2(buf); // $ Alert // BAD
intA = tmpFunction1(buf); //GOOD
intA += tmpFunction2(buf); // GOOD
buf[intA] = intA++; // BAD
buf[intA] = intA++; // $ Alert // BAD
intA++;
buf[intA] = intA; // GOOD
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1,14 +1,14 @@
void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1)
{
if(b1||b2&&b3) //BAD
if(b1||b2&&b3) // $ Alert //BAD
return;
if((b1||b2)&&b3) //GOOD
return;
if(b1||(b2&&b3)) //GOOD
return;
if(b1||b2&i1) //BAD
if(b1||b2&i1) // $ Alert //BAD
return;
if((b1||b2)&i1) //GOOD
return;
@@ -16,28 +16,28 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1)
return;
if(b1&&b2&0) //GOOD
return;
if(b1||b2|i1) //BAD
if(b1||b2|i1) // $ Alert //BAD
return;
if((b1||b2)|i1) //GOOD
return;
if(i1|i2&c1) //BAD
if(i1|i2&c1) // $ Alert //BAD
return;
if((i1|i2)&i3) //GOOD
return;
if(i1^i2&c1) //BAD
if(i1^i2&c1) // $ Alert //BAD
return;
if((i1^i2)&i3) //GOOD
return;
if(i1|i2^c1) //BAD
if(i1|i2^c1) // $ Alert //BAD
return;
if((i1|i2)^i3) //GOOD
return;
if(b1|b2^b3) //BAD
if(b1|b2^b3) // $ Alert //BAD
return;
if((b1|b2)^b3) //GOOD
return;
}

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
query: experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -12,23 +12,23 @@ void strlen_test1(){
unsigned char buff1[12];
struct buffers buffAll;
struct buffers * buffAll1;
buff1[strlen(buff1)]=0; // BAD
buffAll.array[strlen(buffAll.array)]=0; // BAD
buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD
buffAll1->array[strlen(buffAll1->array)]=0; // BAD
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD
globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD
globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD
buff1[strlen(buff1)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll.array[strlen(buffAll.array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll.pointer[strlen(buffAll.pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll1->array[strlen(buffAll1->array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff1.array[strlen(globalBuff1.array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff2->array[strlen(globalBuff2->array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
}
void strlen_test2(){
unsigned char buff1[12],buff1_c[12];
struct buffers buffAll,buffAll_c;
struct buffers * buffAll1,*buffAll1_c;
buff1[strlen(buff1_c)]=0; // GOOD
buffAll.array[strlen(buffAll_c.array)]=0; // GOOD
buffAll.pointer[strlen(buffAll.array)]=0; // GOOD

View File

@@ -7,13 +7,13 @@ void testFunction()
int i1,i2,i3;
bool b1,b2,b3;
char c1,c2,c3;
b1 = -b2; //BAD
b1 = -b2; // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
b1 = !b2; //GOOD
b1++; //BAD
++b1; //BAD
if(i1=tmpFunc()!=i2) //BAD
b1++; // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
++b1; // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
if(i1=tmpFunc()!=i2) // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
return;
if(i1=tmpFunc()!=11) //BAD
if(i1=tmpFunc()!=11) // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
return;
if((i1=tmpFunc())!=i2) //GOOD
return;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
query: experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -24,7 +24,7 @@ bool badTest1(SSL *ssl,char *text)
char buf[256];
if( peer = SSL_get_peer_certificate(ssl))
{
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // $ Alert // BAD
if((char*)strcasestr(buf,text)) return true;
}
return false;

View File

@@ -16,7 +16,7 @@ int main(int argc, char **argv)
// BAD, do not use scanf without specifying a length first
char buf1[10];
scanf("%s", buf1);
scanf("%s", buf1); // $ Alert
// GOOD, length is specified. The length should be one less than the size of the destination buffer, since the last character is the NULL terminator.
char buf2[20];
@@ -25,7 +25,7 @@ int main(int argc, char **argv)
// BAD, do not use scanf without specifying a length first
char file[10];
fscanf(file, "%s", buf2);
fscanf(file, "%s", buf2); // $ Alert
// GOOD, with 'sscanf' the input can be checked first and enough room allocated [FALSE POSITIVE]
if (argc >= 1)
@@ -33,7 +33,7 @@ int main(int argc, char **argv)
char *src = argv[0];
char *dest = (char *)malloc(strlen(src) + 1);
sscanf(src, "%s", dest);
sscanf(src, "%s", dest); // $ Alert
}
return 0;

View File

@@ -1 +1,2 @@
experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
query: experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/IRConsistency.ql
semmle/code/cpp/ir/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
semmle/code/cpp/ir/implementation/raw/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/IRConsistency.ql
semmle/code/cpp/ir/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/PrintIR.ql
semmle/code/cpp/ir/PrintIR.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql

Some files were not shown because too many files have changed in this diff Show More